An Empirical Evaluation of Continuous Authentication and Anomaly Detection Using Mouse Clickstream Data Analysis

Abstract

This research focuses on continuous user authentication and anomaly detection using mouse dynamics. This dissertation is organized into two phases. The first phase focuses on continuous authentication on the user’s desktop platform. The second phase investigates online continuous authentication and anomaly detection.

The first phase is continuous authentication of a user on the desktop platform, using analysis of mouse clickstream data. In this phase, an empirical evaluation of several classification techniques is conducted on a mouse dynamics dataset, the Balabit Mouse Challenge dataset. User identification is carried out using three mouse actions: mouse move, point and click, and drag and drop. Verification and continuous authentication are conducted using three machine-learning classifiers: the Decision Tree classifier (DT), the K-Nearest Neighbors classifier (KNN), and the Random Forest classifier (RF). The results show that the three classifiers can distinguish between a genuine user and an impostor with a relatively high degree of accuracy. In verification mode, all the classifiers achieve a perfect accuracy of 100%. In authentication mode, all three classifiers achieved high accuracies (ACCs) and Area Under Curves (AUCs) using only the point-and-click action data: (DT: ACC: 95.0%, AUC: 94.7%), (KNN: ACC: 99.3%, AUC: 99.9%), and (RF: ACC: 89.9%, AUC: 92.5%).

The second phase is online continuous authentication and anomaly detection. This phase started by gathering a set of online mouse-dynamics information from 20 participants by using software developed for collecting mouse dynamics information; approximately 87 features were extracted from the raw data set. Then the efficacy of continuous authentication systems and anomaly detection systems was studied using three traditional machine-learning algorithms and a deep-learning algorithm: the Decision Tree classifier (DT), the K-Nearest Neighbors classifier (KNN), the Random Forest classifier (RF), and the Convolutional Neural Network classifier (CNN). User 1 identification was determined by using three scenarios: Scenario (A), a single mouse-movement action; Scenario (B), a single point-and-click action; and Scenario (C), a set of movement and point-and-click actions. The results show that each classifier is capable of distinguishing between an authentic user and a fraudulent user with a comparatively high degree of accuracy. In the continuous authentication phase, these are the typical accuracies (ACC) achieved in Scenario A (single mouse-movement action): DT: ACC: 94.6%, KNN: ACC: 98.0%, RF: ACC: 97.9%, and CNN: ACC: 98.8%. In the anomaly detection phase, the typical accuracies were also obtained in Scenario A (single mouse-movement action): DT: ACC: 92.2%, KNN: ACC: 98.2%, RF: ACC: 98.0%, and CNN: ACC: 98.5%.

Copyright owned by the Saudi Digital Library (SDL) © 2025